Windows 7 / Networking

Wireless Authentication Modes

Windows-based wireless clients can perform authentication using the following modes:

  • Computer-only: Windows performs 802.1X authentication with computer credentials before displaying the Windows logon screen. This allows the wireless client to have access to networking resources such as Active Directory domain controllers before the user logs on. Windows does not attempt authentication with user credentials after the user logs on.
  • User-only: By default, Windows performs 802.1X authentication with user credentials after the user logon process has completed. Windows does not attempt authentication with computer credentials before the user logon.
  • Computer-or-user: Windows performs an 802.1X authentication with computer credentials before displaying the Windows logon screen. Windows performs another 802.1X authentication with user credentials either after the user has logged on or when the wireless client roams to a new wireless AP.

Problems with the default behavior of user-only authentication mode are as follows:

  • A user cannot perform an initial domain logon to the computer: no locally cached credentials exist yet for that user account, and there is no network connectivity to a domain controller that could validate the new logon credentials.
  • Domain logon operations fail because there is no connectivity to the domain controllers of the Active Directory domain during the user logon process. Logon scripts, Group Policy updates, and user profile updates fail, and Windows records the failures as errors in the event log.

Some network infrastructures use different virtual LANs (VLANs) to separate wireless clients that have authenticated with computer credentials from wireless clients that have authenticated with user credentials. If the user-level authentication to the wireless network, and therefore the switch to the user-authenticated VLAN, occurs only after the user logon process, a Windows wireless client has no access to resources on the user-authenticated VLAN (such as Active Directory domain controllers) during the user logon process. This can lead to unsuccessful initial logons and to failed domain logon operations such as logon scripts, Group Policy updates, and user profile updates.

To address the availability of network connectivity during user logon in user-only authentication mode, and in computer-or-user authentication mode when separate VLANs are used, Windows Vista and Windows Server 2008 wireless clients support Single Sign On. With Single Sign On, you can specify that wireless network authentication with user credentials occurs before the user logon process, so that the user-authenticated network (or VLAN) is already reachable when logon scripts, Group Policy, and profile updates run. To enable and configure Single Sign On, you can use the Wireless Network (IEEE 802.11) Policies Group Policy extension to configure a Windows Vista policy, or you can run netsh wlan with the appropriate parameters. For more information, see the section "Configuring Wireless Clients" in this tutorial.

Requirements for Wireless Authentication Modes

Single Sign On is supported only by wireless clients running Windows Vista, Windows Server 2008, or a later version of Windows; earlier versions of Windows cannot perform user-credential authentication before logon, whatever the profile specifies.

Uses for Wireless Authentication Modes

Best practices for wireless authentication modes are the following:

  • Use computer-or-user authentication mode, in which user authentication occurs after the user logs on. This is the default authentication mode.
  • If you are using user-only authentication mode, configure your wireless profiles to enable Single Sign On and perform wireless authentication with user credentials before user logon, to prevent initial and domain logon problems.
  • If you are using different VLANs for computer- and user-authenticated wireless clients together with computer-or-user authentication mode, configure your wireless profiles to enable Single Sign On and perform wireless authentication with user credentials before user logon, to prevent initial and domain logon problems.
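The following PowerShell script is an added example, not code from the original tutorial. It covers the netsh wlan path described in the Single Sign On discussion above and the two Single Sign On best practices in the list above: it exports an existing wireless profile, reads the 802.1X authentication mode and Single Sign On settings from the profile XML (the OneX schema elements authMode, singleSignOn/type and singleSignOn/userBasedVirtualLan), warns about the combinations that cause the logon failures described above, and writes a corrected copy with pre-logon Single Sign On that can be re-imported with netsh wlan add profile. The profile name "Corp-WLAN" and the export folder are assumptions for illustration; run it in an elevated PowerShell session on a client that already has the profile.

```powershell
# Added example (not from the original tutorial). Audits a wireless profile's
# 802.1X authentication mode and Single Sign On settings, then writes a
# corrected copy that performs user authentication before logon.
# Assumptions: profile name 'Corp-WLAN', export folder under %TEMP%.
$ProfileName  = 'Corp-WLAN'
$ExportFolder = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

# 1. Export the profile as XML. netsh names the file "<interface>-<profile>.xml".
#    key=clear is deliberately not used: it would write any PSK in cleartext.
netsh wlan export profile name="$ProfileName" folder="$ExportFolder" | Out-Null
$xmlFile = Get-ChildItem -Path $ExportFolder -Filter "*-$ProfileName.xml" | Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' was not exported; check 'netsh wlan show profiles'." }

[xml]$wlanProfile = Get-Content -Path $xmlFile.FullName

# 2. Locate the 802.1X (OneX) settings. The WLAN profile and OneX elements
#    live in different XML namespaces, so an XmlNamespaceManager is needed.
$ns = New-Object System.Xml.XmlNamespaceManager($wlanProfile.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')

$oneX = $wlanProfile.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/x:OneX', $ns)
if (-not $oneX) { throw "Profile '$ProfileName' does not use 802.1X (no OneX element)." }

# authMode is optional in the schema; when absent Windows uses machineOrUser.
$authModeNode = $oneX.SelectSingleNode('x:authMode', $ns)
$authMode = if ($authModeNode) { $authModeNode.InnerText } else { 'machineOrUser' }

$sso      = $oneX.SelectSingleNode('x:singleSignOn', $ns)
$ssoType  = 'not configured'   # no singleSignOn element = user auth after logon
$userVlan = 'false'
if ($sso) {
    $ssoType  = $sso.SelectSingleNode('x:type', $ns).InnerText
    $vlanNode = $sso.SelectSingleNode('x:userBasedVirtualLan', $ns)
    if ($vlanNode) { $userVlan = $vlanNode.InnerText }
}

"Profile             : $ProfileName"
"authMode            : $authMode   (machine | user | machineOrUser)"
"singleSignOn/type   : $ssoType   (preLogon | postLogon)"
"userBasedVirtualLan : $userVlan"

# 3. Flag the combinations that break initial and domain logons.
if ($authMode -eq 'user' -and $ssoType -ne 'preLogon') {
    Write-Warning 'User-only mode without pre-logon SSO: initial domain logons, logon scripts and Group Policy updates will fail.'
}
if ($authMode -eq 'machineOrUser' -and $ssoType -ne 'preLogon') {
    Write-Warning 'machineOrUser without pre-logon SSO: fine on a single VLAN, but fails if user-authenticated clients are moved to a separate VLAN.'
}

# 4. Write a corrected copy: user authentication before logon, and tell the
#    client to expect a VLAN change after the user-level authentication.
$ssoXml = @"
<singleSignOn xmlns="http://www.microsoft.com/networking/OneX/v1">
  <type>preLogon</type>
  <maxDelay>10</maxDelay>
  <allowAdditionalDialogs>false</allowAdditionalDialogs>
  <userBasedVirtualLan>true</userBasedVirtualLan>
</singleSignOn>
"@
$fragment = $wlanProfile.ImportNode(([xml]$ssoXml).DocumentElement, $true)
if ($sso) {
    $oneX.ReplaceChild($fragment, $sso) | Out-Null
} else {
    # Schema order: singleSignOn must precede EAPConfig inside OneX.
    $oneX.InsertBefore($fragment, $oneX.SelectSingleNode('x:EAPConfig', $ns)) | Out-Null
}
$fixedPath = Join-Path $ExportFolder "$ProfileName-prelogon-sso.xml"
$wlanProfile.Save($fixedPath)

"Corrected profile written to $fixedPath"
"Review it, then apply for all users with:"
"  netsh wlan add profile filename=`"$fixedPath`" user=all"
```

The script only reports and writes a file; applying the corrected profile is left as an explicit netsh wlan add profile step so that the change can be reviewed (and, in a managed environment, delivered through the Wireless Network (IEEE 802.11) Policies Group Policy extension instead). Set userBasedVirtualLan to false if your infrastructure does not move user-authenticated clients to a different VLAN; with it set to true the client renews its IP configuration after the user-level authentication, which is unnecessary on a single-VLAN network.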